Skip to main content

Netskope Help

Salesforce Key Management

Salesforce Key Management allows you to use Salesforce's Bring Your Own Key (BYOK) feature, which enables you to generate and provide your own tenant secret to derive encryption keys for increased security.

Your Salesforce account must have the Manage Encryption Keys administrative permissions for the user's parent profile in order to use this feature. You can set this permission from the SETUP > ADMINISTRATION > Users > Profiles page of the Lightning Experience UI of Salesforce. Select the custom administrator profile you created as part of Salesforce API configuration. Edit the profile and select the Administrative Permissions > Manage Encryption Keys checkbox.


The Key Management configuration page appears on the API Data Protection dashboard page only if you have enabled the BYOK checkbox during the Salesforce app instance setup. Ensure that you have enabled this checkbox before proceeding further.

  1. Log in to the Netskope tenant UI.

  2. Navigate to API Data Protection and click the desired Salesforce app instance.

  3. On the top-right of the Files & Users page, click Key Management.

  4. The UI prompts to upload a certificate to enable key management. Click upload certificate.

  5. Select the certificate and click Upload.


    Upload a Privacy Enhanced Mail (PEM) encoded certificate only.

    What is the purpose of this certificate? The tenant secret that is uploaded to Salesforce while generating a new tenant secret is encrypted. The public key derived from this certificate is used to encrypt the 256-bit tenant secret generated from the Hardware Security Module (HSM). This certificate should be BYOK compatible. You can follow the Salesforce article described here. Before you upload the certificate, rename the file extension to .pem.

  6. Back on the Key Management page, click Generate New Key to create a new tenant secret.

    The new tenant secret is used to derive the encryption key for future data encryption requests. The archived tenant secret is used to derive decryption key for previously encrypted data.


    • When a new tenant secret is generated, the active tenant secret is archived. To destroy an archived tenant secret, click the trash icon.

    • Tenant secret status can either be active, archived, or destroyed.

The key management table displays a lit of keys (active, archived, destroyed). The table displays the key ID, version, status, key manager, creation date, and last modified date.